Pyherion

A recently implemented feature in Veil is the pyherion ‘crypter’ for all python payloads. This came about from thinking, “how far can we go with python obfuscation?”. AES/DES/etc. encryption of shellcode is great, but the decrypter stubs more or less remain the same. How can we randomize the file as much as possible?

Taking a cue from from the excellent Hyperion PE-crypter from the folks over at http://nullsecurity.net, let’s trying AES’ing the entire code string of the payload with a random key. Since this is python and not C, we’ll use pycrypto’s AES capability to encrypt the entire payload string with a randomized key. Using python’s exec() function, we can then execute the entire file after it’s decrypted dynamically. So we go from this:

To this:

That still has some standard patterns, so let’s base64 encode it and wrap it in another exec wrapper. This code will function fine as a straight python file, but what if we want to compile it to an exe using pyinstaller or py2exe? When building the binary, pyinstaller/py2exe needs to know what libraries to package with the python interpreter beforehand, so any imports need to be extracted out. Let’s shuffle those and import pycryto/base64 specifically as random names. We’re left with a series of randomized imports, and a single exec() statement that invokes a base64 encoded, then AES (with a random key) encoded string of our original payload file. This code changes every time its generated, even for the same start file:

This code is implemented in ./modules/common/crypters.py for all Veil python payloads. To use, set the “use_pyherion” to “Y” in the payload menu before generating your payload. A standalone version is in ./tools/pyherion.py , which will take (almost) any python file and produce a crypted version.